Judicial interpretation helps clarify existing laws, influencing the development of state-specific regulations, and addressing challenges brought by new technology. As courts interpret laws to adjust to societal changes, existing legislation can remain dynamic and in line with modern data privacy needs.
The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule sets a baseline for patient privacy that overrides less protective state laws while allowing states to implement stricter regulations if desired.
The Privacy Rule is then operationalized by the Security Rule and the Breach Notification Rule. The Security Rule addresses the challenges posed by digital health records and electronic communications in healthcare settings, while the Breach Notification Rule establishes enforcement mechanisms. HIPAA’s regulatory framework protects data privacy in healthcare settings by serving as a baseline from which judicial interpretations and legislative updates stem.
This Connecticut case establishes a new cause of action for violations of patient healthcare privacy. The Connecticut Supreme Court ruled that unauthorized disclosures of medical information could give rise to state law claims, showing that HIPAA can inform whether negligence claims are legitimate.
An article published in the Connecticut Bar Association Magazine states, “Based on state, federal, and sister state law, the court decided that a patient should have a civil remedy against a health care provider for the unauthorized disclosure of confidential information 'unless the disclosure is otherwise allowed by law.'” The decision set a precedent for future cases regarding healthcare providers’ responsibilities to protect PHI.
The federal court upheld privacy claims against a hospital for using tracking technologies that allegedly disclosed patients’ confidential information without consent. The court recognized a fiduciary duty (i.e., a legal responsibility of care and confidentiality) between provider and patient, allowing claims of negligence and breach of fiduciary duty to proceed.
Although not strictly a healthcare case, it involved allegations that Facebook tracked users visiting healthcare websites, collecting PHI without consent. The plaintiffs argued that this tracking violated federal laws and their data privacy rights under the California Constitution. The case shows the complexities of data privacy in the healthcare context, especially since third-party data collection practices can compromise patient confidentiality.
Related: Meta sued for collecting patients’ private health data
In the most recent case on the list, Change Healthcare suffered a ransomware attack on multiple systems, resulting in multiple lawsuits, later consolidated, alleging negligence. There were also allegations of breach of contract due to compromised PHI. The litigation illustrates the legal ramifications organizations face when they fail to adequately protect PHI from cyber threats.
Related: UHG faces legal storm over Change Healthcare data breach.
Data generated by noncovered entities and deidentified data (stripped of personal identifiers) can be shared freely without HIPAA restrictions once it meets the specific criteria outlined by the Privacy Rule.
When health data is shared across multiple platforms, there is an increased risk of unauthorized access or breaches, especially if those platforms do not adhere to HIPAA.
Consumer health applications like Gmail collect vast amounts of personal health information that may not be subject to the same regulatory standards as HIPAA-compliant email platforms like Paubox.